From 3ebd0e35f43d9ca282886aabce52fbb7fc7e1fc5 Mon Sep 17 00:00:00 2001
From: Kevin Krakauer <krakauer@google.com>
Date: Tue, 19 Jun 2018 17:16:39 -0700
Subject: runsc: Whitelist lstat, as it is now used in specutils.

When running multi-container, child containers are added after the filters have
been installed. Thus, lstat must be in the set of allowed syscalls.

PiperOrigin-RevId: 201269550
Change-Id: I03f2e6675a53d462ed12a0f651c10049b76d4c52
---
 runsc/boot/filter/config.go | 61 ++++++++++++++++++++++++---------------------
 1 file changed, 32 insertions(+), 29 deletions(-)

diff --git a/runsc/boot/filter/config.go b/runsc/boot/filter/config.go
index 4e286c5da..fdc3e02c6 100644
--- a/runsc/boot/filter/config.go
+++ b/runsc/boot/filter/config.go
@@ -24,35 +24,38 @@ import (
 // allowedSyscalls is the set of syscalls executed by the Sentry
 // to the host OS.
 var allowedSyscalls = seccomp.SyscallRules{
-	syscall.SYS_ACCEPT:          {},
-	syscall.SYS_ARCH_PRCTL:      {},
-	syscall.SYS_CLOCK_GETTIME:   {},
-	syscall.SYS_CLONE:           {},
-	syscall.SYS_CLOSE:           {},
-	syscall.SYS_DUP:             {},
-	syscall.SYS_DUP2:            {},
-	syscall.SYS_EPOLL_CREATE1:   {},
-	syscall.SYS_EPOLL_CTL:       {},
-	syscall.SYS_EPOLL_PWAIT:     {},
-	syscall.SYS_EPOLL_WAIT:      {},
-	syscall.SYS_EVENTFD2:        {},
-	syscall.SYS_EXIT:            {},
-	syscall.SYS_EXIT_GROUP:      {},
-	syscall.SYS_FALLOCATE:       {},
-	syscall.SYS_FCHMOD:          {},
-	syscall.SYS_FCNTL:           {},
-	syscall.SYS_FSTAT:           {},
-	syscall.SYS_FSYNC:           {},
-	syscall.SYS_FTRUNCATE:       {},
-	syscall.SYS_FUTEX:           {},
-	syscall.SYS_GETDENTS64:      {},
-	syscall.SYS_GETPID:          {},
-	unix.SYS_GETRANDOM:          {},
-	syscall.SYS_GETSOCKOPT:      {},
-	syscall.SYS_GETTID:          {},
-	syscall.SYS_GETTIMEOFDAY:    {},
-	syscall.SYS_LISTEN:          {},
-	syscall.SYS_LSEEK:           {},
+	syscall.SYS_ACCEPT:        {},
+	syscall.SYS_ARCH_PRCTL:    {},
+	syscall.SYS_CLOCK_GETTIME: {},
+	syscall.SYS_CLONE:         {},
+	syscall.SYS_CLOSE:         {},
+	syscall.SYS_DUP:           {},
+	syscall.SYS_DUP2:          {},
+	syscall.SYS_EPOLL_CREATE1: {},
+	syscall.SYS_EPOLL_CTL:     {},
+	syscall.SYS_EPOLL_PWAIT:   {},
+	syscall.SYS_EPOLL_WAIT:    {},
+	syscall.SYS_EVENTFD2:      {},
+	syscall.SYS_EXIT:          {},
+	syscall.SYS_EXIT_GROUP:    {},
+	syscall.SYS_FALLOCATE:     {},
+	syscall.SYS_FCHMOD:        {},
+	syscall.SYS_FCNTL:         {},
+	syscall.SYS_FSTAT:         {},
+	syscall.SYS_FSYNC:         {},
+	syscall.SYS_FTRUNCATE:     {},
+	syscall.SYS_FUTEX:         {},
+	syscall.SYS_GETDENTS64:    {},
+	syscall.SYS_GETPID:        {},
+	unix.SYS_GETRANDOM:        {},
+	syscall.SYS_GETSOCKOPT:    {},
+	syscall.SYS_GETTID:        {},
+	syscall.SYS_GETTIMEOFDAY:  {},
+	syscall.SYS_LISTEN:        {},
+	syscall.SYS_LSEEK:         {},
+	// TODO: Remove SYS_LSTAT when executable lookup moves
+	// into the gofer.
+	syscall.SYS_LSTAT:           {},
 	syscall.SYS_MADVISE:         {},
 	syscall.SYS_MINCORE:         {},
 	syscall.SYS_MMAP:            {},
-- 
cgit v1.2.3